Detecting and evicting malicious vehicles in a vehicle communications network

ABSTRACT

A method, computer program product and computer system maintain a list that includes identifiers of vehicles determined by the processor of a detective vehicle to have an innocent status. The processor selects, for each sub-period of a predefined time period, a target vehicle from a plurality of vehicles, where the detective vehicle communicates either directly or indirectly with each vehicle of the plurality and accepts communications from the plurality, where a portion of the plurality of vehicles and the detective vehicle are within a vehicle-to-vehicle communication range, and where vehicle-to-vehicle communication does not utilize infrastructure network connectivity. The processor obtains, over a vehicle-to-vehicle communication or a network connection, messages regarding a status of the target vehicle. The processor determines the status of the target vehicle, where the status is one of: malicious or innocent. The processor notifies the vehicles associated with the identifiers on the list of the determination.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent applicationSer. No. 14/575,793, filed on Dec. 18, 2014, entitled “System and Methodfor Detecting and Evicting Malicious Vehicles in a VehicleCommunications Network,” which is a continuation of U.S. patentapplication Ser. No. 12/872,569 filed on Aug. 31, 2010, entitled “Systemand Method for Detecting and Evicting Malicious Vehicles in a VehicleCommunications Network,” which claims the benefit of U.S. ProvisionalApplication No. 61/238,681, filed on Aug. 31, 2009, the entiredisclosures of which are incorporated herein in their entirety.

FIELD OF THE INVENTION

The present invention relates to malicious behavior detection andmalicious vehicle detection in a vehicle communications network.

BACKGROUND OF THE INVENTION

Agents interested in malicious behaviors include all entities that mayengage in such behaviors and/or profit from it. These agents are groupedinto three categories according to the amount of resources they may haveto cause harm to the vehicular network:

The first category of attackers are solitary attackers who mainlyoperate on their own.

They have limited monetary resources and use the Internet as their mainsource of information. Examples of attackers in this category include:Unscrupulous or opportunistic individuals; Computer hackers; Automotive,electronic, or computer hobbyists; and Very loosely organized groups.

The second category of attackers are typically one or more groups ofindividuals who are moderately coordinated, communicate on a regularbasis, have moderate resources, can obtain information not publiclyknown or available. Examples of attackers in this category include:Corrupt Insiders and Unscrupulous Businesses.

The third category of attackers are highly organized, have access toexpansive resources, can infiltrate organizations and obtain closelyheld secrets, may consider life and individuals expendable to achievetheir goals, and may be supported by governing bodies of foreignnations. Examples of attackers in this category include: Organized Crimeand Foreign nations.

Some of the potential motivations that may drive agents to exhibitmalicious behaviors within a vehicular network, in an order ofincreasing impact, are: Sadistic pleasure in harming other vehicles orthe entire vehicular network; Preferential treatment from the vehicularnetwork for the purposes of evading law enforcement, assisting incriminal operations, or diverting attention from a primary attack;Prestige in a successful hack or a new virus launch; Manipulate trafficauthority decisions; Acquiring personal advantages in driving conditionsor economic gain; e.g., committing insurance fraud or car theft; Promotenational, political, and special interests; and Civil, political andeconomic disruption, including warfare.

Security attacks and malicious behaviors based on communicationsactivities in a vehicle-to vehicle (V2V) communications environment canbe categorized as follows:

1) Attackers could modify the communication content coming from theirvehicles' software or hardware, including: inaccurate trafficconditions, including false warnings related to forward collisions,blind spot situations, lane changes, unsafe passing; and inaccuratedriving conditions or patterns, such as false statements about speeds,braking, directions, positions, and intersection movement.

2) Attackers could modify the communication functionalities of theirvehicles' software or hardware to carry out attacks, such as one of theattacks above and the following: modifying transmission timing intervalsof messages; delaying the delivery of messages; sending more messagesthan the vehicle is designed to; not sending messages for a long enoughtime interval; and disabling the functioning of a vehicle's software,say, because of privacy concerns. Attackers could attempt to impersonatevehicles or other network entities (e.g., servers) to cause harm to thevehicular network operations. Attackers could act as intruders andattempt to use data stored on vehicles or other network entities (e.g.,servers) to cause harm to the vehicular network operations.

In order to ensure safe and secure operation of a vehicle communicationssystem, malicious use of the certificates to cause harm to the vehiclesnetworks and applications need to be detected so that these certificatescan be revoked. Malicious vehicles used to cause significant harm to thevehicle networks and applications need to be detected and “evicted” fromthe vehicle communications network. If vehicles have frequentinfrastructure network connectivity, they can rely on trusted servers inthe infrastructure network to detect and respond to security threats.

These infrastructure servers could collect information from a largenumber of vehicles and have sufficient processing capabilities toanalyze the data to detect malicious activities. However, when vehicleshave sporadic or zero infrastructure connectivity along the roads,attackers could perform attacks without being monitored by any highlytrusted entities such as infrastructure servers. Vehicles can no longerrely on any infrastructure-based servers to help detect maliciousactivities. As a result, attacks will have much higher chances to besuccessful, and attackers would have a much higher chance of beingundetected. Vehicles would have to rely on themselves and interactionswith other potentially untrusted vehicles to detect malicious activitiesand mitigate their impacts.

In V2V communications, particularly with no infrastructure networksupport, it is essential for the vehicles to be able to rely onthemselves and distributed techniques to detect malicious communicationsactivities and to mitigate the impact of malicious vehicles by evicting(or eliminating) suspected malicious vehicle from the system (i.e., toignore the messages sent from the suspected malicious vehicle). Such acapability allows the vehicles to communicate securely without beingexcessively impacted by malicious activities without relying oninfrastructure network connectivity.

Several approaches exist in the prior art in which vehicles decidelocally whether or not to evict a suspected malicious vehicle from thesystem. Two methods have recently been considered for V2V vehicularcommunications networks are: voting mechanisms, and ‘Sacrifice’ byindividual vehicles, in which a suspected device is evicted togetherwith its ‘accuser’. (This is also sometimes termed “suicide for thecommon good”).

In a voting mechanism, such as LEAVE described by T. Moore et al. “Fastexclusion of errant devices from vehicular networks”, Proceedings IEEESECON, San Francisco, Calif., Jun. 16-20, 2008, vehicles vote byexchanging signed claims of impropriety of another vehicle. Each vehiclethen adds these warning messages to its ‘accusation list’. Once thewarning votes against a vehicle exceed a threshold, the accused vehicleis placed on a ‘blacklist’, similar to a local or temporary certificaterevocation list (CRL). For nodes which are placed on the blacklist,additional ‘disregard this vehicle’ messages will be broadcast to othervehicles. Typically, the majority vote principle is used to decide whento deem another vehicle untrustworthy and to send a warning messageabout this untrusted vehicle.

A majority vote detection mechanism relies on an ‘honest majority’:every node must have more good neighbors than bad. Therefore, localcommunication graph structure can have a significant effect on thedynamics of the voter model, see, e.g., V. Sood, T. Antal, S. Redner,“Voter models on heterogeneous networks”, Phys. Rev. E, April 2008. Badnodes can eliminate good nodes if they form a local majority. Good nodescan eliminate bad nodes if they have a local majority. Specifically,they can send sufficiently many ‘warning’ and/or ‘disregard’ messages inLEAVE, for example.

For V2V communications, consider the following threat model: attackerscan disseminate false messages and abuse the elimination mechanism.Furthermore, multiple attackers can collude.

In a sacrifice' based model, any vehicle can evict any other vehicle bysimultaneously agreeing to limit its own participation in future V2Vcommunications hence giving his decision more credibility. Therefore, inthis scheme it is easier to evict a node than in a vote-based mechanismwhere a majority votes from multiple vehicles are used to decide whetherto evict a vehicle. However, abuse of this mechanism is made more costlyby forcing simultaneous removal of the accuser: ‘Disregard’ messages byan accuser cause simultaneous disregard of both the suspected node andits accuser.

The prior art fails to address how to determine how many maliciousvehicles can the vehicle network tolerate before the innocent vehiclesloss their ability to detect and evict malicious vehicles. The presentinvention has a provable bound on the number of malicious vehicles thesystem can tolerate before the system loses its ability to detect andevict malicious vehicles. This is important for determining how long themalicious detection and eviction method can continue to run before ithas to rely on other means, such as communications withinfrastructure-based intrusion detection systems, to eliminate themalicious vehicles.

SUMMARY OF THE INVENTION

Shortcomings of the prior art are also overcome and additionaladvantages are provided through the provision of a method foridentifying malicious vehicles. The method includes: maintaining, by aprocessor of a detective vehicle, a list comprising identifiers ofvehicles determined by the processor of the detective vehicle to have aninnocent status; selecting, by the processor of a detective vehicle, foreach sub-period of a predefined time period, a target vehicle from aplurality of vehicles, wherein the detective vehicle communicates eitherdirectly or indirectly with each vehicle of the plurality of vehiclesand accepts communications from the plurality of vehicles, wherein aportion of the plurality of vehicles and the detective vehicle arewithin a vehicle-to-vehicle communication range, and whereinvehicle-to-vehicle communication does not utilize infrastructure networkconnectivity; based on the selecting, obtaining, over avehicle-to-vehicle communication or a network connection, by theprocessor of the detective vehicle, messages regarding a status of thetarget vehicle; based on obtaining the messages, determining, by theprocessor of the detective vehicle, the status of the target vehicle,wherein the status is one of: malicious or innocent; and based ondetermining that the status of the target vehicle, notifying, by theprocessor of the detective vehicle, the vehicles associated with theidentifiers on the list of the determination.

Systems and methods relating to one or more aspects of the technique arealso described and may be claimed herein. Further, services relating toone or more aspects of the technique are also described and may beclaimed herein.

Additional features are realized through the techniques of the presentinvention. Other embodiments and aspects of the invention are describedin detail herein and are considered a part of the claimed invention.

BRIEF DESCRIPTION OF THE DRAWINGS

One or more aspects of the present invention are particularly pointedout and distinctly claimed as examples in the claims at the conclusionof the specification. The foregoing and objects, features, andadvantages of one or more aspects of the invention are apparent from thefollowing detailed description taken in conjunction with theaccompanying drawing.

FIG. 1 shows a system architecture for the invention.

FIG. 2 is a flow chart of actions taken by innocent vehicles.

FIG. 3 is a flow chart of actions by detective vehicles.

FIG. 4 is a technical environment into which aspects of embodiments ofthe present invention may be implemented.

FIG. 5 depicts a computer system configured to perform an aspect of anembodiment of the present invention.

FIG. 6 depicts a computer program product incorporating one or moreaspects of the present invention.

DETAILED DESCRIPTION

Aspects of the present invention and certain features, advantages, anddetails thereof, are explained more fully below with reference to thenon-limiting examples illustrated in the accompanying drawings.Descriptions of well-known materials, fabrication tools, processingtechniques, etc., are omitted so as not to unnecessarily obscure theinvention in detail. It should be understood, however, that the detaileddescription and the specific examples, while indicating aspects of theinvention, are given by way of illustration only, and not by way oflimitation. Various substitutions, modifications, additions, and/orarrangements, within the spirit and/or scope of the underlying inventiveconcepts will be apparent to those skilled in the art from thisdisclosure. The terms software and program code are used interchangeablythroughout this application and can refer to logic executed by bothhardware and software. Components of the system that can be utilized toexecute aspects of embodiments of the present invention may includespecialized hardware, including but not limited to, an FPGA and a GPU(graphics professor unit). Additionally, items denoted as processors mayinclude hardware and/or software processors or other processing means,including but not limited to a software defined radio and/or customhardware.

The present invention provides an approach that combines the vote andthe sacrifice principles using a mathematical model called the “MafiaGame”. The Mafia Game model focuses on the relative size of the group ofattackers within a neighborhood necessary to dominate the entire networkin the neighborhood (i.e., to eventually evict all the innocentvehicles). This combined approach does not lead to a false decisionprobability which the vote and the sacrifice mechanisms have to address.Furthermore, a low level of mobile or fixed infrastructure networkconnectivity could significantly increase the performance of theproposed approach.

In a vehicle communication network, some vehicles may be used byattackers to send false information to other vehicles which mayjeopardize the safety of other vehicles. For example, a maliciousvehicle may broadcast erroneous emergency break light messages to causeneighboring vehicles to think the malicious vehicle is breaking hard sothe other vehicles will also have to reduce their speeds suddenly, whichmay cause accidents.

Vehicles should be able to detect malicious communications activitiesand to mitigate the impact of malicious vehicles by evicting(eliminating) suspected malicious vehicles from the system. Evicting avehicle is to ignore the messages sent from the vehicle for a specifiedtime period.

Such malicious behavior detection and mitigation methods can allowvehicles to communicate securely without being excessively impacted bymalicious activities without relying on infrastructure networkconnectivity.

The present invention combines the voting and the sacrifice principlesusing a mathematical model based on the “Mafia Game”. The Mafia Gamemodel focuses on the relative size of the group of attackers within aneighborhood necessary to dominate the entire network in theneighborhood (i.e., to eventually evict all the innocent vehicles). Thiscombined approach does not need to a false decision probability whichthe vote and the sacrifice mechanisms have to address. Furthermore, alow level of mobile or fixed infrastructure network connectivity couldsignificantly increase the performance of the proposed approach.

The method for detecting and evicting malicious vehicles enablesvehicles to have secure communications for significantly longer time,compared to prior art PKI solutions, before having to communicate withCertificate Authorities and therefore significantly reducing reliance onroadside infrastructure networks. This translates to a significantlysmall number of roadside network access points (base stations) that willbe required to support the PKI operations for V2V communications, hencesignificantly reducing the costs of system deployment.

The proposed method has a provable bound on the number of maliciousvehicles the system can tolerate before the system loses its ability todetect and evict malicious vehicles.

Connecting Mafia Game Theory to designing a practical PKI solution forV2V communications has not been described elsewhere.

Referring to FIG. 1, although this figure shows the vehicles mentionedherein as cars, these vehicles are merely presented as an example of apossible vehicle into which aspects of the present invention may beimplemented or may utilize various aspects of some embodiments of thepresent invention. Vehicles may include, but are not limited to, cars,planes, and/or drones. These vehicles may include drivers or may bedriverless. As shown in the system architecture in FIG. 1, vehicles areclassified into the following categories:

Malicious (Mafia) vehicles 100 are vehicles that have been detected tobehave significantly differently from the behaviors designed by thevehicle manufacturers. Malicious vehicles are assumed to have fullknowledge of who the other malicious vehicles in a neighborhood are.That is, collusion among malicious vehicles is possible. Throughcollusion, “Malicious” vehicles can create a local majority to eliminatea non-Malicious vehicle. “Malicious” vehicles can adapt their behaviorsto that of Innocent vehicles so that they can postpone detection. Inother words, they do not have to behave malicious all the time.

Innocent vehicles 102 are vehicles that behave as designed by thevehicle manufacturers.

Detective vehicles 104 are innocent vehicles that have the ability todetect whether another vehicle is innocent or malicious.

Vigilante vehicles are vehicles deemed/verified by the detectivevehicles as innocent vehicles.

Resident vehicles 106 are vehicles of all categories combined in a givenregion or neighborhood.

Applying the Mafia Game model to a V2V communications network, thevehicles can be viewed to be playing a game consisting of the followingiterations or rounds:

1) Resident vehicles' Turn: Referring to FIG. 2, all Resident vehiclespick a vehicle to eliminate by majority vote 200. Each resident vehiclevotes 202 to eliminate one vehicle. The votes from the Resident vehiclesare received by the other vehicles 204. The vehicle receiving the mostvotes is then eliminated 206. In case of a tie, a vehicle is chosenuniformly at random from the vehicles receiving the maximum number ofvotes. The identity of the eliminated vehicle is revealed publicly viadissemination of a “Disregard” message.

2) Malicious vehicles' Turn: Malicious vehicles choose an innocentvehicle to eliminate. The only information announced publicly by themalicious vehicles will be the identity of the vehicle eliminated andwhether it was a detective vehicle or not. Again, the result can bedisseminated via a “Disregard” message.

3) Detective's Turn (if there are detective vehicles): Each detectivevehicle acquires the Malicious or Innocent status of a vehicle. Thisstatus is then revealed only to the Detective vehicles. Detectives, forinstance, can be police vehicles. Here, the Detective vehicle maycollect messages from other vehicles and may communicate withinfrastructure-based servers to help determine whether another vehicleis malicious or not.

After round t, there are R_(t)=R−2t Resident vehicles in the system. Andthe Mafia Game has two possible outcomes:

The “Innocent” vehicles win if all “Mafia” vehicles have been eliminatedand there are still “Innocent” vehicles alive.

The “Mafia” vehicles win if all “Innocent” vehicles have been eliminatedwhen there are still “Mafia” vehicles alive.

Next, here are analysis results on the performance of the scheme. Foranalysis purpose, the following assumptions are made:

a) In the game without “Detective” vehicles, assume that all “Resident”vehicles can send a message to all other Resident vehiclessimultaneously. This is primarily to assure later votes are notinfluenced by earlier ones. Otherwise, Mafia vehicles may be able toinfluence the majority vote in the all-vehicle Residents round, toeliminate an Innocent vehicle with greater likelihood. This can beachieved using cryptographic protocols, for example.

b) In the game with Detectives, we assume that Residents can voteanonymously and the Residents can securely exchange messages, e.g. usinga PKI system, with anonymized certificates.

The anonymous vote is used to coordinate votes of the Vigilante vehicleswith the other (at least the Innocent) vehicles. Each Resident vehiclestill announces its vote in a plurality vote. The anonymous vote isnecessary to keep the identity of Vigilante vehicles unknown tonon-Vigilante vehicles, in particular, unknown to Mafia vehicles. Inthis sense, the Vigilante vehicles are indeed an ‘Anti-Mafia’. Thecryptographic assumptions, in particular the anonymous pre-communicationround, can be removed, if there are a simple majority of Vigilantevehicles among the Resident vehicles. This is easier to achieve whenthere are multiple, say d detectives: In particular, for any ε>0, thereis a d such that d detectives have a probability of winning of at least1−ε against a mafia of size (½−ε) R.

Now it will be shown that voting will take a bounded number ofsub-rounds that is polynomial in the number of “Resident” vehicles. Thisassumption can be satisfied even if the vehicles' votes need to bepropagated over several hops, i.e., when not all vehicles are withinone-hop broadcast range with each other. Furthermore, the number ofcomputational steps each vehicle can take between rounds is also boundedby a polynomial in the number of residents.

The optimal strategies in the game without detectives are given asfollows:

Innocent Vehicle's Optimal Strategy: In iteration t, each “Resident”vehicle 1≤s≤R_(t) picks a random vehicle to eliminate. As long as the“Innocent” vehicles have the majority in each Residents round, a randomresident vehicle will be eliminated.

Malicious Vehicle's Optimal Strategy: As long as the “Innocent” vehicleshave the majority, the “Mafia” vehicles may as well follow the samestrategy of choosing a random innocent in each Residents round.

The following results about a network with R Resident vehicles can bederived based on analysis related to the Mafia Games:

In the game without Detectives: Malicious vehicles will surely lose ifthe number of them is lower than the order of √{square root over (R)},have a comparable chance of winning if the number of them is in theorder of √{square root over (R)}, and win if the number of them islarger than order √{square root over (R)}.

In the game with d≥1 Detectives, The probability of the Maliciousvehicles winning is only comparable to the Innocent's winning when thereare at least ηR. Malicious vehicles, for some constant η that satisfies0<η≤1.

The above results provide several significant insights that provide asolid foundation for designing a V2V security system without roadsideinfrastructure networks. These insights include, for example, if it ispossible to design a malicious vehicle detection and eviction approachso the number of malicious vehicles is kept below their critical mass(for example in the order of √{square root over (R)} or ηR with zero orone Detective vehicle), the system will be able to quickly evict themalicious vehicles and maintain safe and secure communicationscontinuously. Also, the addition of a single infrastructure node cansignificantly decrease the power of Malicious vehicles.

Establishing a ‘white list’ of vigilante vehicles, which are knowninnocent vehicles rather than distributing more “Disregard” messages orCRLs can be a more effective approach to increase the chance of winningfor the Innocents.

In some embodiments of the present invention, various vehicles within aV2V network may distribute the white list (i.e., a core of trustedvehicles), to other vehicles that the come into contact with duringshifts in vehicles in a given V2V network. For example, a vehicles maydistribute the white list to a group on initially untrusted vehicles.This list can be communicated over multiple hops and not just directlyutilizing the V2V connection.

Furthermore, the suicide of the Detective is particularly powerful, asopposed to the solitary act considered in other mechanisms. Thissolitary sacrifice is one interpretation of the elimination processafter majority vote, which bypasses the need to model false decisionprobabilities.

With one Detective vehicle, the optimal game for the Innocent vehicleswill be the following:

Suppose there is a single Detective vehicle. Referring to FIG. 3, duringthe first √{square root over (ηR)} rounds, the detective collectsinformation about vehicles at random 300. The other Innocents vote ineach round to eliminate a vehicle at random. After √{square root over(ηR)} rounds, the Detective compiles a √{square root over (ηR)} list Vof so-called “Vigilante” vehicles that are vehicles known to beInnocents 302. At this stage, the number of Vigilantes |^(V)| should belarger than the number of Malicious (Mafia) vehicles |M| (since √{squareroot over (η)}>η for 0<η<1). The group of Vigilantes acts as an“anti-Mafia”. The Detective encrypts the list of Vigilantes, and sendsthe encrypted list to each member of V so that the Vigilantes know whichvehicles are also Vigilantes 304. The Detective then asks everyone toeliminate him. Upon being eliminated, the identity of the Detective isrevealed, and therefore each Vigilante knows that the messages andencrypted list they have received is genuine.

Once the detective is evicted, in each round, the highest ranking(numbered) member of V selects a member outside of V to be eliminated,and communicates to the other members of V the identity of the vehicleto be eliminated, say p. All Innocent vehicles abstain from voting in asecure anonymous vote to coordinate/select the next vehicle p toeliminate. After this pre-communication round, every non-Mafia vehiclesends a ‘Disregard-p’ message.

This shows that a single Detective vehicle can significantly increasethe number of Malicious vehicles needed to dominate the game to ηR,0<η<1 from √{square root over (R)}.

Therefore, an enhanced malicious vehicle detection and eviction methodis as followings:

[1] Consider an arbitrary geographical region.

[2] Time is divided into time periods of equal or variable lengths.

[3] For each time period: 10

a. The Resident vehicles in the region pick one vehicle to eliminate bymajority vote. Each Resident vehicle picks one vehicle it wants toeliminate and sends out its vote in a message to other vehicles. Thevehicle receiving the most votes is eliminated. In case of a tie, avehicle is chosen uniformly at random from the vehicles receiving themaximum number of votes. The identity of the eliminated vehicle isrevealed publicly via dissemination of a “Disregard” message. If theeliminated vehicle is a Detective vehicle, this fact is revealed aswell.

b. For each time period T: Each Detective vehicle acquires the“Malicious” or “Innocent” status of a single randomly selected vehicle.This status is then revealed only to the Detective vehicles. Here, theDetective vehicle may collect messages from other vehicles and maycommunicate with infrastructure-based servers to help determine whetheranother vehicle is malicious or not.

[4] During the first √{square root over (ηR)} time periods (rounds), theDetective vehicle compiles and maintains an up to date “white list” V of“Vigilante” vehicles. At this stage, the number of Vigilantes |V| shouldbe larger than the number of Malicious vehicles |M| (since √{square rootover (η)}>η for 0<η<1). The Detective vehicle encrypts the white list ofVigilantes and sends the encrypted list to each member of V so that theVigilante vehicles know which other vehicles are also vigilantes. TheDetective vehicle then asks other vehicles to eliminate itself bysending out a “Disregard” message revealing its own identity. Upon beingeliminated, the identity of the detective is revealed, and thereforeeach Vigilante vehicles know that the messages and encrypted list whitelist” they have received is genuine.

[5] Once the Detective vehicle is evicted, the white list of Vigilantevehicles is known to be genuine, and can be acted upon. In each timeperiod (round), the highest ranking (numbered) member of V selects amember outside of V to be eliminated by sending a “Disregard” message toall vehicles in V. All innocent vehicles abstain from voting in a secureanonymous vote to coordinate on the next vehicle p to eliminate. AllVigilante vehicles vote for p. After this round, all vehicles vote for pin the majority vote, and ‘Disregard-p’ messages are sent. This showsthat a single Detective vehicle to significantly increase the number ofmalicious vehicles needed to dominate the game to ηR, 0<η<1 from√{square root over (R)}.

In an embodiment of the present invention where detective vehicles arepresent, the communication capabilities of the vehicles are not limitedto communicating directly with vehicles within a V2V network. Rather,the detective vehicles can communicate with each other, other vehicles,and other computing devices, even if the communications involve multiplehops. Thus, in embodiments of the present invention, vehicles maycommunicate over established networks as well as self-forming meshnetworks, wired and/or wireless, including but not limited to, fieldarea networks.

Various aspects of the present disclosure may be embodied as a program,software, or computer instructions embodied in a computer or machineusable or readable medium, which causes the computer or machine toperform the steps of the method when executed on the computer,processor, and/or machine.

The system and method of the present disclosure may be implemented andrun on a general-purpose computer or computer system. The computersystem may be any type of known or will be known systems and maytypically include a processor, memory device, a storage device,input/output devices, internal buses, and/or a communications interfacefor communicating with other computer systems in conjunction withcommunication hardware and software, etc. A module may be a component ofa device, software, program, or system that implements some“functionality”, which can be embodied as software, hardware, firmware,electronic circuitry, or etc.

Embodiments of the present invention include a method for vehicles todetect and evict malicious vehicles in a vehicle-to-vehiclecommunications network using the Mafia Game theory that includesmalicious mafia vehicles that have been detected to behave significantlydifferently from the behaviors designed by the vehicle manufacturers,innocent vehicles that behave as designed by the vehicle manufacturers,vigilante vehicles that are deemed or verified by a detective vehicle asan innocent vehicle which is a vigilante vehicle, and detective vehiclesthat are innocent vehicles that have the ability to detect whetheranother vehicle is an innocent vehicle or a malicious vehicle, or avigilant vehicle, where resident vehicles are vehicles of all categoriesin a region.

In some embodiments of the present invention, the time is divided intoperiods and during each time period the innocent vehicles will pick avehicle to eliminate by majority vote and each innocent vehicle votes toeliminate one vehicle in each time period.

In some embodiments of the present invention, each innocent vehiclereceives votes from other vehicles in each time period and eliminatesthe vehicle that has received the most votes. In case of a tie, avehicle is chosen uniformly at random from the vehicles receiving themaximum number of votes.

In some embodiments of the present invention, a vehicle reveals theidentity of the eliminated vehicle by sending a “DISREGARD” message toall other vehicles in the region.

In some embodiments of the present invention, malicious vehicles canalso behave as the innocent vehicles and choose an innocent vehicle toeliminate in each time period.

In some embodiments of the present invention, a malicious vehiclereveals the identity of the vehicle eliminated and whether theeliminated vehicle was a detective vehicle or not by sending a“DISREGARD” message to other vehicles.

In some embodiments of the present invention, each detective vehicleacquires the malicious or innocent status of a vehicle and then revealsthe status to only other detective vehicles by sending a secure messageto the other detective vehicles.

In some embodiments of the present invention, the first √{square rootover (ηR)} time periods where R is the total number of vehicles in theregion and is a constant value between zero and one, a detective vehiclecompiles and maintains an up to date “white list” of vigilante vehicles,encrypts the up-to date white list or changes to the white list, andsends the encrypted list to each vigilante vehicle on the white list.

In some embodiments of the present invention, the detective vehiclerequests other vehicles to eliminate itself and reveals its identity bysending a “DISREGARD” message to the other vehicles.

In some embodiments of the present invention, in each time period, thehighest ranking numbered member of V selects a member outside of V to beeliminated, and communicates to the other members of V the identity ofthe vehicle to be eliminated, say p where all innocent vehicles abstainfrom voting in a secure anonymous vote to coordinate/select the nextvehicle p to eliminate after this pre-communication round, every(non-Mafia) vehicle sends a ‘Disregard-p’ message.

Embodiments of the present invention include a computer-implementedmethod, a computer program product, and a computer system for detectinga malicious vehicle. Embodiments of the present invention includes oneor more programs executed by one or more processors that select, foreach sub-period of a predefined time period, a target vehicle from aplurality of vehicles, where the processor is a processor of a detectivevehicle, where the plurality of vehicles and the detective vehicle arewithin a vehicle-to-vehicle communication range, and wherevehicle-to-vehicle communication does not utilize infrastructure networkconnectivity. Based on the selecting, the one or more programs obtainmessages regarding a status of the target vehicle from at least one of:a group of vehicles from the plurality of vehicles, or aninfrastructure-based server accessible to the target vehicle via anetwork connection, where the detective vehicle and each vehicle of theplurality of vehicles has a sporadic connection or no connection to theinfrastructure-based server. Based on obtaining the messages, one ormore programs determine the status of the target vehicle, where thestatus is one of: malicious or innocent, where a vehicle with amalicious status sends erroneous messages the plurality of vehicles, andwhere a vehicle with an innocent status sends correct messages to theplurality of vehicles based on determining that the status of the targetvehicle is innocent, retaining an identifier of the target vehicle on alist comprising identifiers of vehicles determined by the processor tohave the innocent status; and based on the predefined time periodelapsing, the one or more programs provide the list to the vehiclesassociated with the identifiers on the list.

In some embodiments of the present invention, the one or more programsobtain, utilizing a processor of a first vehicle of the plurality ofvehicles, a message from a second vehicle of the plurality of vehicles,where an identifier associated with the first vehicle is on the list,and where an identifier associated with the second vehicle is not on thelist. The one or more programs obtain, using the processor of the firstvehicle, the list. Based on the obtaining of the list and the obtainingof the message, the one or more programs select, utilizing the processorof the first vehicle, during a sub-period of a second predefined timeperiod, the second vehicle. After obtaining the list, the one or moreprograms reject, utilizing the processor of the first vehicle, furthercommunications sent by the detective vehicle.

In some embodiments of the present invention, the one or more programsprovide a communication to the vehicles associated with the identifierson the list, wherein the communication comprises identifying thedetective vehicle as a detective vehicle.

In some embodiments of the present invention, the predefined time periodcomprises √{square root over (ηR)} sub-periods, where R comprises atotal number of vehicles of the plurality of vehicles in and η comprisesa constant value between 0 and 1, and where, for each sub-period, thelist is updated by the detective vehicle.

In some embodiments of the present invention, the one or more programs,prior to the providing, encrypt, by the processor, the list, where thevehicles associated with the identifiers on the list can decrypt thelist with certificates. The one or more programs provide a request tothe vehicles associated with the identifiers on the list to rejectfuture communications from the detective vehicle for a specified timeperiod.

In some embodiments of the present invention, based on the selecting,the one or more programs obtain, utilizing the processor of the firstvehicle, messages regarding a status of the second vehicle from thevehicles associated with the identifiers on the list. Based on obtainingthe messages, the one or more programs determine that the status of thesecond vehicle is malicious and rejecting future vehicle-to-vehiclecommunications from the second vehicle for a specified time period. Theone or more programs notify, utilizing the processor of the firstvehicle, the vehicles associated with the identifiers on the list, thatthe status of the second vehicle is malicious.

In some embodiments of the present invention, the providing includesproviding the list to a first vehicle of the plurality of vehicles,where an identifier associated with the first vehicle is on the list,the method further includes: the one or more programs sending avehicle-to-vehicle communication to the first vehicle after theproviding and subsequent to the sending, obtaining a rejection from thefirst vehicle of the vehicle-to-vehicle communication from the detectivevehicle.

In some embodiments of the present invention, the one or more programs,subsequent to a specified time period, send a second vehicle-to-vehiclecommunication to the first vehicle and subsequent to the sending, theone or more programs obtain an acceptance from the first vehicle of athe second vehicle-to-vehicle communications from the detective vehicle.

In some embodiments of the present invention, at least one of thedetective vehicle, the first vehicle, or the second vehicle is anunmanned aerial vehicle.

Some embodiments of the present invention include various systems andmethods of notifying vehicles of the statuses or presumed statuses ofvarious vehicles. The vehicles communicating with each other, either viaV2V communication channel or via one or more hops on a self-formingcommunications network, such as a mesh network or a FAN, change based ontemporal shifts. Because various vehicles come into contact with othervehicles often, a first vehicle may benefit from information from asecond vehicle, about a third vehicle, because the second vehicle, whichhas not been in contact with the first vehicle, may come into contactwith the third vehicle, at some point in the future. For example, if thefirst vehicle is aware, based on various aspects of the presentinvention, that the third vehicle is malicious, the first vehicle mayconvey that information to the second vehicle. Although the secondvehicle is not in contact with the first vehicle upon receipt of thisnotification, should the third vehicle attempt contact with the secondvehicle, based on the notification from the first vehicle, the thirdvehicle may refuse this contact. The second vehicle may also, in turn,warn additional vehicles about the malicious status of the thirdvehicle. In this manner, vehicles that communicate with each other mayform a swarm, and provide decentralized intelligence to each other andto other vehicles.

In embodiments of the present invention, one or more vehicles mayutilize a dynamic white list as a notification list. When newdiscoveries are made regarding various vehicles, a member of the whitelist may seek to distribute this additional information to othervehicles on the white list. A challenge of distributing this informationis that at the time that the new information is available, the vehicledistributing the information may no longer be in V2V contact with atleast one client on the white list. Thus, one or more programs executingon at least one processor in the vehicle may not only communicate alertsto vehicles communicating with that initial vehicle over a V2Vconnection, the one or more programs may also utilize networks betweenvarious vehicles, including self-forming mesh networks, to conveyinformation to vehicles on the notification list (the white list) thatare more than one hop away. One or more programs executing on a devicein a given vehicle may address a message to a given vehicle and themessage can be forwarded through multiple nodes until the messagereaches the destination.

In order to secure a message traveling to a destination over multiplehops, in an embodiment of the present invention, each member of a whitelist may utilize a method of encryption and/or decryption so thatupdates, if intercepted during hops, cannot be understood by computingsystems that are not on the white list. For example, when in V2Vcommunication, a vehicle may distribute an encryption key to members ofthe white list. When the one or more programs in a given vehicle send anupdate, for example, updating the clients on the white list, the one ormore programs may first encrypt the transmission, such that onlyvehicles with keys can decrypt the transmission. Each vehicle with a keycan both encrypt transmissions before sending them to other vehicles anddecrypt transmissions received from other vehicles.

FIG. 4 is an example of how a vehicle in a given network can utilize oneor more hops in order to communicate a notification to another vehicle.In this example, the vehicles depicted are drones, but as explainedearlier, this is merely one example of vehicles that can be utilized inembodiments of the present invention. As illustrated in FIG. 4, the“hops” to communicate between vehicles may represent other vehicles orother network entities, such as routers, switches, and Internet ofThings (IoT) devices that can be utilized to route a notification. Byway of example, FIG. 4 depicts four vehicles, 410 420 430 440, and onevehicle 420 is sending an alert to a distribution list that includes theremaining vehicles 410 430 440. The messaging vehicle 420 cancommunicate with a first vehicle on the distribution list 430, via V2Vcommunications. However, in order to convey the message to the second440 and third 410 recipients on the distribution list (e.g., the whitelist), the message travels over hops in a self-forming mesh network. Inthis example, the first vehicle on the distribution list 430 relays themessage from the messaging vehicle 420 to the second 440 and third 410recipients, through various computing devices, including a wirelessaccess point 415, a switch 425, and two routers 435 445.

FIG. 5 illustrates a block diagram of a resource 400 in computer system,such as, which is part of the technical architecture of certainembodiments of the technique. Returning to FIG. 5, the resource 400 mayinclude a circuitry 502 that may in certain embodiments include amicroprocessor 504. The computer system 400 may also include a memory506 (e.g., a volatile memory device), and storage 508. The storage 508may include a non-volatile memory device (e.g., EEPROM, ROM, PROM, RAM,DRAM, SRAM, flash, firmware, programmable logic, etc.), magnetic diskdrive, optical disk drive, tape drive, etc. The storage 508 may comprisean internal storage device, an attached storage device and/or a networkaccessible storage device. The system 400 may include a program logic510 including code 512 that may be loaded into the memory 506 andexecuted by the microprocessor 504 or circuitry 502.

In certain embodiments, the program logic 510 including code 512 may bestored in the storage 508, or memory 506. In certain other embodiments,the program logic 510 may be implemented in the circuitry 502.Therefore, while FIG. 5 shows the program logic 510 separately from theother elements, the program logic 510 may be implemented in the memory506 and/or the circuitry 502. The program logic 510 may include theprogram code discussed in this disclosure that facilitates thereconfiguration of elements of various computer networks, includingthose in various figures.

Using the processing resources of a resource 400 to execute software,computer-readable code or instructions, does not limit where this codecan be stored. Referring to FIG. 6, in one example, a computer programproduct 500 includes, for instance, one or more non-transitory computerreadable storage media 602 to store computer readable program code meansor logic 604 thereon to provide and facilitate one or more aspects ofthe technique.

As will be appreciated by one skilled in the art, aspects of thetechnique may be embodied as a system, method or computer programproduct. Accordingly, aspects of the technique may take the form of anentirely hardware embodiment, an entirely software embodiment (includingfirmware, resident software, micro-code, etc.) or an embodimentcombining software and hardware aspects that may all generally bereferred to herein as a “circuit,” “module” or “system”. Furthermore,aspects of the technique may take the form of a computer program productembodied in one or more computer readable medium(s) having computerreadable program code embodied thereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readable signalmedium may include a propagated data signal with computer readableprogram code embodied therein, for example, in baseband or as part of acarrier wave. Such a propagated signal may take any of a variety offorms, including, but not limited to, electro-magnetic, optical or anysuitable combination thereof. A computer readable signal medium may beany computer readable medium that is not a computer readable storagemedium and that can communicate, propagate, or transport a program foruse by or in connection with an instruction execution system, apparatusor device.

A computer readable storage medium may be, for example, but not limitedto, an electronic, magnetic, optical, electromagnetic, infrared orsemiconductor system, apparatus, or device, or any suitable combinationof the foregoing. More specific examples (a non-exhaustive list) of thecomputer readable storage medium include the following: an electricalconnection having one or more wires, a portable computer diskette, ahard disk, a random access memory (RAM), a read-only memory (ROM), anerasable programmable read-only memory (EPROM or Flash memory), anoptical fiber, a portable compact disc read-only memory (CD-ROM), anoptical storage device, a magnetic storage device, or any suitablecombination of the foregoing. In the context of this document, acomputer readable storage medium may be any tangible medium that cancontain or store a program for use by or in connection with aninstruction execution system, apparatus, or device.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readable signalmedium may include a propagated data signal with computer readableprogram code embodied therein, for example, in baseband or as part of acarrier wave. Such a propagated signal may take any of a variety offorms, including, but not limited to, electro-magnetic, optical or anysuitable combination thereof. A computer readable signal medium may beany computer readable medium that is not a computer readable storagemedium and that can communicate, propagate, or transport a program foruse by or in connection with an instruction execution system, apparatusor device.

Program code embodied on a computer readable medium may be transmittedusing an appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing.

Computer program code for carrying out operations for aspects of thetechnique may be written in any combination of one or more programminglanguages, including an object oriented programming language, such asJava, Smalltalk, C++ or the like, and conventional proceduralprogramming languages, such as the “C” programming language, PHP, ASP,assembler or similar programming languages, as well as functionalprogramming languages and languages for technical computing (e.g.,Matlab). The program code may execute entirely on the user's computer,partly on the user's computer, as a stand-alone software package, partlyon the user's computer and partly on a remote computer or entirely onthe remote computer or server. In the latter scenario, the remotecomputer may be connected to the user's computer through any type ofnetwork, including a local area network (LAN) or a wide area network(WAN), or the connection may be made to an external computer (forexample, through the Internet using an Internet Service Provider).Furthermore, more than one computer can be used for implementing theprogram code, including, but not limited to, one or more resources in acloud computing environment.

Aspects of the technique are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions, also referred to as software and/orprogram code, may also be stored in a computer readable medium that candirect a computer, other programmable data processing apparatus, orother devices to function in a particular manner, such that theinstructions stored in the computer readable medium produce an articleof manufacture including instructions which implement the function/actspecified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the technique. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

In addition to the above, one or more aspects of the technique may beprovided, offered, deployed, managed, serviced, etc. by a serviceprovider who offers management of customer environments. For instance,the service provider can create, maintain, support, etc. computer codeand/or a computer infrastructure that performs one or more aspects ofthe technique for one or more customers. In return, the service providermay receive payment from the customer under a subscription and/or feeagreement, as examples. Additionally or alternatively, the serviceprovider may receive payment from the sale of advertising content to oneor more third parties.

In one aspect of the technique, an application may be deployed forperforming one or more aspects of the technique. As one example, thedeploying of an application comprises providing computer infrastructureoperable to perform one or more aspects of the technique.

As a further aspect of the technique, a computing infrastructure may bedeployed comprising integrating computer readable code into a computingsystem, in which the code in combination with the computing system iscapable of performing one or more aspects of the technique.

As yet a further aspect of the technique, a process for integratingcomputing infrastructure comprising integrating computer readable codeinto a computer system may be provided. The computer system comprises acomputer readable medium, in which the computer medium comprises one ormore aspects of the technique. The code in combination with the computersystem is capable of performing one or more aspects of the technique.

Further, other types of computing environments can benefit from one ormore aspects of the technique. As an example, an environment may includean emulator (e.g., software or other emulation mechanisms), in which aparticular architecture (including, for instance, instruction execution,architected functions, such as address translation, and architectedregisters) or a subset thereof is emulated (e.g., on a native computersystem having a processor and memory). In such an environment, one ormore emulation functions of the emulator can implement one or moreaspects of the technique, even though a computer executing the emulatormay have a different architecture than the capabilities being emulated.As one example, in emulation mode, the specific instruction or operationbeing emulated is decoded, and an appropriate emulation function isbuilt to implement the individual instruction or operation.

In an emulation environment, a host computer includes, for instance, amemory to store instructions and data; an instruction fetch unit tofetch instructions from memory and to optionally, provide localbuffering for the fetched instruction; an instruction decode unit toreceive the fetched instructions and to determine the type ofinstructions that have been fetched; and an instruction execution unitto execute the instructions. Execution may include loading data into aregister from memory; storing data back to memory from a register; orperforming some type of arithmetic or logical operation, as determinedby the decode unit. In one example, each unit is implemented insoftware. For instance, the operations being performed by the units areimplemented as one or more subroutines within emulator software.

Further, a data processing system suitable for storing and/or executingprogram code is usable that includes at least one processor coupleddirectly or indirectly to memory elements through a system bus. Thememory elements include, for instance, local memory employed duringactual execution of the program code, bulk storage, and cache memorywhich provide temporary storage of at least some program code in orderto reduce the number of times code must be retrieved from bulk storageduring execution.

Input/Output or I/O devices (including, but not limited to, keyboards,displays, pointing devices, DASD, tape, CDs, DVDs, thumb drives andother memory media, etc.) can be coupled to the system either directlyor through intervening I/O controllers. Network adapters may also becoupled to the system to enable the data processing system to becomecoupled to other data processing systems or remote printers or storagedevices through intervening private or public networks. Modems, cablemodems, and Ethernet cards are just a few of the available types ofnetwork adapters.

The terms “computer system” and “computer network” as may be used in thepresent application may include a variety of combinations of fixedand/or portable computer hardware, software, peripherals, and storagedevices. The computer system may include a plurality of individualcomponents that are networked or otherwise linked to performcollaboratively, or may include one or more stand-alone components. Thehardware and software components of the computer system of the presentapplication may include and may be included within fixed and portabledevices such as desktop, laptop, server, and/or embedded system.

While there has been described and illustrated a system and method fordetecting and evicting malicious vehicles in a vehicle communicationnetwork, it will be apparent to those skilled in the art thatmodifications and variations are possible without deviating from theprinciples and broad teachings of the present invention which shall belimited solely by the scope of the claims appended hereto.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the invention. Asused herein, the singular forms “a,” “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”and/or “comprising”, when used in this specification, specify thepresence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of allmeans or steps plus function elements in the descriptions below, if any,are intended to include any structure, material, or act for performingthe function in combination with other elements as specifically noted.The description of the technique has been presented for purposes ofillustration and description, but is not intended to be exhaustive orlimited to the invention in the form disclosed. Many modifications andvariations will be apparent to those of ordinary skill in the artwithout departing from the scope and spirit of the invention. Theembodiment was chosen and described in order to best explain theprinciples of the invention and the practical application, and to enableothers of ordinary skill in the art to understand the invention forvarious embodiments with various modifications as are suited to theparticular uses contemplated.

The invention claimed is:
 1. A computer-implemented method comprising:maintaining, by a processor of a detective vehicle, a list comprisingidentifiers of vehicles determined by the processor of the detectivevehicle to have an innocent status; selecting, by the processor of adetective vehicle, for each sub-period of a predefined time period, atarget vehicle from a plurality of vehicles, wherein the detectivevehicle communicates either directly or indirectly with each vehicle ofthe plurality of vehicles and accepts communications from the pluralityof vehicles, wherein a portion of the plurality of vehicles and thedetective vehicle are within a vehicle-to-vehicle communication range,and wherein vehicle-to-vehicle communication does not utilizeinfrastructure network connectivity; based on the selecting, obtaining,over a vehicle-to-vehicle communication or a network connection, by theprocessor of the detective vehicle, messages regarding a status of thetarget vehicle; based on obtaining the messages, determining, by theprocessor of the detective vehicle, the status of the target vehicle,wherein the status is one of: malicious or innocent; and based ondetermining that the status of the target vehicle, notifying, by theprocessor of the detective vehicle, the vehicles associated with theidentifiers on the list of the determination.
 2. Thecomputer-implemented method of claim 1, wherein a vehicle with amalicious status sends erroneous messages the plurality of vehicles, andwherein a vehicle with an innocent status sends correct messages to theplurality of vehicles.
 3. The computer-implemented method of claim 1,further comprising: based on determining that the status of the targetvehicle is innocent, retaining an identifier of the target vehicle onthe list; and transmitting, by the processor of the detective vehicle,the list to the target vehicle.
 4. The computer-implemented method ofclaim 1, wherein the obtaining the messages comprises obtaining messagefrom at least one of: a group of vehicles from the plurality ofvehicles, or an infrastructure-based server accessible to the targetvehicle via a network connection, wherein the detective vehicle and eachvehicle of the plurality of vehicles has a sporadic connection or noconnection to the infrastructure-based server.
 5. Thecomputer-implemented method of claim 1, wherein the portion of theplurality of vehicles and the detective vehicle are within thevehicle-to-vehicle communication range comprise the vehicles associatedwith the identifiers on the list.
 6. The computer-implemented method ofclaim 1, the vehicles associated with the identifiers on the listcomprise vehicles in direct communication with the detective vehiclewithin the vehicle-to-vehicle communication range and in indirectcommunication with the detective vehicle over at least one hop on anetwork.
 7. The computer-implemented method of claim 6, wherein thenetwork is a self-forming mesh network.
 8. The computer-implementedmethod of claim 3, wherein the target vehicle is outside of thevehicle-to-vehicle communication range and accessible to the detectivevehicle over at least one hop.
 9. The computer-implemented method ofclaim 3, wherein the target vehicle is within the vehicle-to-vehiclecommunication range.
 10. The computer-implemented method of claim 1,further comprising: based on determining that the status of the targetvehicle is malicious, evicting the target vehicle from the plurality ofvehicles.
 11. The computer-implemented method of claim 10, wherein theevicting comprises: rejecting direct and indirect communications fromthe target vehicle: and severing ad-hoc network connections between thetarget vehicle and the detective vehicle.
 12. A computer program productfor detecting a malicious vehicle, the computer program productcomprising: a non-transitory computer readable storage medium readableby a processor and storing instructions for execution by the at leastone processor for performing a method comprising: maintaining, by aprocessor of a detective vehicle, a list comprising identifiers ofvehicles determined by the processor of the detective vehicle to have aninnocent status; selecting, by the processor of a detective vehicle, foreach sub-period of a predefined time period, a target vehicle from aplurality of vehicles, wherein the detective vehicle communicates eitherdirectly or indirectly with each vehicle of the plurality of vehiclesand accepts communications from the plurality of vehicles, wherein aportion of the plurality of vehicles and the detective vehicle arewithin a vehicle-to-vehicle communication range, and whereinvehicle-to-vehicle communication does not utilize infrastructure networkconnectivity; based on the selecting, obtaining, over avehicle-to-vehicle communication or a network connection, by theprocessor of the detective vehicle, messages regarding a status of thetarget vehicle; based on obtaining the messages, determining, by theprocessor of the detective vehicle, the status of the target vehicle,wherein the status is one of: malicious or innocent; and based ondetermining that the status of the target vehicle, notifying, by theprocessor of the detective vehicle, the vehicles associated with theidentifiers on the list of the determination.
 13. The computer programproduct of claim 12, wherein a vehicle with a malicious status sendserroneous messages the plurality of vehicles, and wherein a vehicle withan innocent status sends correct messages to the plurality of vehicles.14. The computer program product of claim 12, further comprising: basedon determining that the status of the target vehicle is innocent,retaining an identifier of the target vehicle on the list; andtransmitting, by the processor of the detective vehicle, the list to thetarget vehicle.
 15. The computer program product of claim 12, whereinthe obtaining the messages comprises obtaining message from at least oneof: a group of vehicles from the plurality of vehicles, or aninfrastructure-based server accessible to the target vehicle via anetwork connection, wherein the detective vehicle and each vehicle ofthe plurality of vehicles has a sporadic connection or no connection tothe infrastructure-based server.
 16. The computer program product ofclaim 12, wherein the portion of the plurality of vehicles and thedetective vehicle are within the vehicle-to-vehicle communication rangecomprise the vehicles associated with the identifiers on the list. 17.The computer program product of claim 12, the vehicles associated withthe identifiers on the list comprise vehicles in direct communicationwith the detective vehicle within the vehicle-to-vehicle communicationrange and in indirect communication with the detective vehicle over atleast one hop on a network.
 18. The computer program product of claim17, wherein the network is a self-forming mesh network.
 19. The computerprogram product of claim 14, wherein the target vehicle is outside ofthe vehicle-to-vehicle communication range and accessible to thedetective vehicle over at least one hop.
 20. A computer system fordetecting a malicious vehicle, the computer system comprising: a memory;and a processor in communications with the memory, wherein the computersystem is configured to perform a method, the method comprising:maintaining, by a processor of a detective vehicle, a list comprisingidentifiers of vehicles determined by the processor of the detectivevehicle to have an innocent status; selecting, by the processor of adetective vehicle, for each sub-period of a predefined time period, atarget vehicle from a plurality of vehicles, wherein the detectivevehicle communicates either directly or indirectly with each vehicle ofthe plurality of vehicles and accepts communications from the pluralityof vehicles, wherein a portion of the plurality of vehicles and thedetective vehicle are within a vehicle-to-vehicle communication range,and wherein vehicle-to-vehicle communication does not utilizeinfrastructure network connectivity; based on the selecting, obtaining,over a vehicle-to-vehicle communication or a network connection, by theprocessor of the detective vehicle, messages regarding a status of thetarget vehicle; based on obtaining the messages, determining, by theprocessor of the detective vehicle, the status of the target vehicle,wherein the status is one of: malicious or innocent; and based ondetermining that the status of the target vehicle, notifying, by theprocessor of the detective vehicle, the vehicles associated with theidentifiers on the list of the determination.